
Licenses and Certificates

Licenses and certificates both refer to XrML structures that can be used for many things, such as proving identity, specifying and assigning rights to people or machines, and specifying permissible environments. The terms certificate and license are not distinct, although this documentation will use one or the other consistently to refer to a specific item (an end-user license, or a rights account certificate, for example).

Types of Licenses

An AD RMS client will typically encounter the following licenses.

End-user licenses: An end-user license is issued for a piece of protected content (or for an application) and contains the keys needed to open that content, together with the rights and conditions under which it may be used.

Machine certificates: A machine certificate holds the computer's public key and is tied to the lockbox on that computer.

Rights account certificates: A rights account certificate ties a user to a machine certificate; each user on the machine has one. It contains the user's public key in cleartext and the user's private key encrypted with the machine's public key, so the private key is usable only through that machine's lockbox.

Issuance licenses: An issuance license is created by the content publisher and is presented by the consumer to acquire an end-user license.

Manifests: A manifest defines the components that are loaded when the application starts and the policy for which types of component may be loaded; only the permitted components can be loaded into the secure environment.

Client and server licensor certificates: A client licensor certificate allows a client to sign an issuance license; a server licensor certificate allows a server other than a Microsoft server to issue licenses or certificates.

Licenses and certificates for this version of Active Directory Rights Management are generated in XrML 1.2. Visit https://www.xrml.org for the XrML 1.2 specifications and schema. Note that although Active Directory Rights Management Services adheres to XrML standards, it does not use all the available structures.

Licenses and certificates are typically certificate chains, beginning at the root certificate (Pre-production or Production, issued by Microsoft) and continuing through the leaf certificate, such as the end-user license or rights account certificate. However, when one refers to a specific license, such as an end-user license, often one is referring only to the leaf XrML certificate on the chain that specifies the actual rights. To learn more about license chains, see Certificate Hierarchies.

Acquiring Licenses and Certificates

The following diagram shows the certificate chains that are used by the computer and how they are acquired.

[Figure: Certificate chains used by the computer, and how they are acquired]

This diagram shows enterprise license acquisition, with the user's computer in the trusted domain of the final issuer. Internet license acquisition is similar.

Note that the lockbox, machine certificate, and manifest-signing chain are all requested and supplied directly by Microsoft (the lockbox and machine certificate requests use a proxy when activating inside a corporate LAN). All other licenses are generated by other issuers, within the enterprise or over the Internet. Other than the machine certificates and secure repositories, Microsoft only issues top-level certificates, called server licensor certificates, that allow these issuers to issue end-user licenses, rights account certificates, and signed issuance licenses. However, Microsoft does not, and cannot, monitor or control license requests from these services. The only control Microsoft maintains is the ability to revoke a licensor's ability to deliver licenses.

Server licensor certificates periodically expire and must be renewed; this is to prevent an unauthorized or malicious licensor from operating indefinitely. Because all licenses periodically expire, protected content cannot be archived indefinitely by using one license. For more information, see License Validity Time.

For an example of a complete end-user license chain, see Sample End-User License Chain. Sample End-User License Chain shows a license chain that consists of five certificates:

  1. An end-user license for Misty at Blue Yonder Airlines, signed by (2).
  2. A server licensor certificate from Contoso USA, signed by (3).
  3. A server licensor certificate from Contoso North America, signed by (4).
  4. A server licensor certificate from Contoso International, signed by (5).
  5. A root certificate from the Pre-production chain, signed by itself.

Breaking up a license distribution system into a pyramid of license servers makes it easier to control a licensing system: if a distributor used only a single license server to issue millions of licenses, and that licensor were compromised, that licensor's certificate would have to be revoked, inconveniencing millions of users. On the other hand, if a pyramid of licensors is created and a low-level licensor is compromised and is revoked, it will affect fewer people. Of course, if a higher-level licensor is compromised in a pyramid, it will still affect many people. The disadvantage of a licensing pyramid is the complexity and effort required to acquire and maintain a larger number of licensors. You must find an appropriate balance between complexity, control, and revocation.
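The following program is an added example, not part of this page or of AD RMS itself. It models the five-certificate chain above (an end-user license for Misty at Blue Yonder Airlines, server licensor certificates for Contoso USA, Contoso North America and Contoso International, and a self-signed Pre-production root) as a simple signed structure and walks it the way a relying party must: from the leaf to the root, checking at every link that the licensor is not revoked, the certificate has not expired, the issuer name matches the next certificate, and the signature verifies under the next certificate's key. To show the pyramid argument it also adds a constructed sibling licensor, Contoso Canada, issuing to a constructed user Pat: revoking Contoso USA breaks Misty's chain but not Pat's, while revoking Contoso North America breaks both. Ed25519 signatures, the field layout, the names Contoso Canada and Pat, and all validity periods are the example's own assumptions, not the XrML 1.2 format or AD RMS defaults.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
	"time"
)

var Now = time.Date(2008, 3, 13, 0, 0, 0, 0, time.UTC) // constructed reference time (the page's build date)
const day = 24 * time.Hour

// Cert is a simplified stand-in for one certificate in an AD RMS chain (not the XrML 1.2 schema).
type Cert struct {
	Subject   string
	Issuer    string
	NotAfter  time.Time
	PublicKey ed25519.PublicKey
	Signature []byte // issuer's signature over tbs()
}

// tbs returns the bytes the issuer signs (the "to be signed" fields).
func (c Cert) tbs() []byte { return []byte(fmt.Sprintf("%s|%s|%d|%x", c.Subject, c.Issuer, c.NotAfter.Unix(), []byte(c.PublicKey))) }

type licensor struct { // an issuing party: its certificate plus the matching private key
	cert Cert
	priv ed25519.PrivateKey
}

// issue certifies pub under l's name, valid for d from Now.
func (l *licensor) issue(subject string, pub ed25519.PublicKey, d time.Duration) Cert {
	c := Cert{Subject: subject, Issuer: l.cert.Subject, NotAfter: Now.Add(d), PublicKey: pub}
	c.Signature = ed25519.Sign(l.priv, c.tbs())
	return c
}

// newLicensor generates a key pair and has parent certify it; a nil parent makes a self-signed root.
func newLicensor(name string, parent *licensor, d time.Duration) *licensor {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	l := &licensor{priv: priv}
	if parent == nil {
		l.cert.Subject, parent = name, l // the root names itself as issuer
	}
	l.cert = parent.issue(name, pub, d)
	return l
}

// VerifyChain walks from the leaf (index 0) to the root (last entry): each certificate must be unrevoked and
// unexpired, name the next entry as its issuer and verify under its key; the last must be self-signed with trustedRoot.
func VerifyChain(chain []Cert, now time.Time, revoked map[string]bool, trustedRoot ed25519.PublicKey) error {
	if len(chain) == 0 {
		return fmt.Errorf("empty chain")
	}
	for i, c := range chain {
		if revoked[c.Subject] {
			return fmt.Errorf("%q has been revoked", c.Subject)
		}
		if now.After(c.NotAfter) {
			return fmt.Errorf("%q expired at %s", c.Subject, c.NotAfter.Format(time.RFC3339))
		}
		signer := c
		if i < len(chain)-1 {
			signer = chain[i+1]
		} else if !c.PublicKey.Equal(trustedRoot) {
			return fmt.Errorf("chain ends at %q, which is not the trusted root", c.Subject)
		}
		if c.Issuer != signer.Subject {
			return fmt.Errorf("%q names issuer %q but is followed by %q", c.Subject, c.Issuer, signer.Subject)
		}
		if !ed25519.Verify(signer.PublicKey, c.tbs(), c.Signature) {
			return fmt.Errorf("signature on %q does not verify under %q", c.Subject, signer.Subject)
		}
	}
	return nil
}

// BuildPyramid constructs the five-certificate chain from the text plus a constructed sibling licensor (Contoso
// Canada, issuing to Pat) so the reach of a revocation at each level can be compared. Validity periods are constructed.
func BuildPyramid() (map[string][]Cert, ed25519.PublicKey) {
	root := newLicensor("Pre-production root", nil, 10*365*day)
	intl := newLicensor("Contoso International", root, 2*365*day)
	na := newLicensor("Contoso North America", intl, 365*day)
	usa := newLicensor("Contoso USA", na, 180*day)
	can := newLicensor("Contoso Canada", na, 180*day)
	// End users are modelled with the same helper: their rights account key pair, certified by their licensor.
	misty := newLicensor("EUL: Misty (Blue Yonder Airlines)", usa, 30*day)
	pat := newLicensor("EUL: Pat (Blue Yonder Airlines)", can, 30*day)
	return map[string][]Cert{
		"Misty": {misty.cert, usa.cert, na.cert, intl.cert, root.cert},
		"Pat":   {pat.cert, can.cert, na.cert, intl.cert, root.cert},
	}, root.cert.PublicKey
}

func main() {
	chains, root := BuildPyramid()
	for _, rev := range []map[string]bool{nil, {"Contoso USA": true}, {"Contoso North America": true}} {
		fmt.Printf("revoked=%v: Misty=%v Pat=%v\n", rev, VerifyChain(chains["Misty"], Now, rev, root), VerifyChain(chains["Pat"], Now, rev, root))
	}
}
```

Two details matter in practice. The revocation and expiry checks run on every certificate in the chain, not only the leaf, which is what makes revoking or letting expire a mid-level server licensor certificate cut off everything issued beneath it. And the chain is accepted only if its last certificate carries a key the verifier already trusts; a chain that merely ends in some self-signed certificate, or that stops one level short of the root, is rejected.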

See Also

Querying Licenses
License Management
Certificate Hierarchies
License Validity Time
About Active Directory Rights Management Services
Extended Policy Template Information
Sample License and Certificate Files
DRMAcquireLicense

Build date: 3/13/2008